The workspace token is obtained with the `gp` command in Gitpod. The generated JWT includes claims about the workspace and its owner, and is exchanged with AWS for an STS token. That STS token is tied to an IAM role and inherits whatever access has been granted to that role. Modelling those access controls is the responsibility of the AWS account owner or administrator.
Sequence diagram of Authentication via OIDC using AWS with Gitpod
The identity provider URL for your Gitpod installation is `https://services.<gitpod-installation>/idp`. For example, if your installation is `companyname.gitpod.cloud`, the URL is `https://services.companyname.gitpod.cloud/idp`. The audience is `sts.amazonaws.com`.

Append `/.well-known/openid-configuration` to the end of the identity provider's URL to see the provider's publicly available configuration document and metadata. For `companyname.gitpod.cloud`, the URL is `https://services.companyname.gitpod.cloud/idp/.well-known/openid-configuration`.
Run `gp idp token --decode --audience sts.amazonaws.com` inside a Gitpod workspace. Pay attention to the `sub` claim, which contains the repository URL that was used to start that particular Gitpod workspace. This claim is used in the examples below.

The IAM condition keys are formed from the identity provider URL (for example, one ending in `gitpod.io`) followed by the claim (`:aud`, `:azp`, `:amr`, `:sub`). The examples below show how this works. Read more about these OIDC condition keys in the AWS IAM documentation.
Here are some examples restricting who can assume the role depending on the contents of the `sub` key, in this case the repository from which a Gitpod workspace was created. This particular example shows that only users who create a Gitpod workspace from `https://github.com/gitpod-io/my-application` can assume this role:

Example IAM assume role trust policy to grant access only to the repo gitpod-io/my-application

The following example does the same thing; the only difference is that the condition is changed to `StringLike` so that it covers all repositories in the `https://github.com/gitpod-io/` organization. The same approach can be used to cover all branches of a repository, for example `https://github.com/gitpod-io/my-application/*`.
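As an added example (not Gitpod's code nor AWS's policy evaluator), the following Python checks whether a decoded workspace token's claims satisfy the Condition block of the two trust policies above, using IAM's `StringEquals` and `StringLike` semantics. The provider URL `services.companyname.gitpod.cloud/idp` and the claim layout are assumptions.

```python
import re

# Assumed identity-provider URL (without scheme) for an installation named
# companyname.gitpod.cloud; it is the prefix of every IAM condition key below.
IDP = "services.companyname.gitpod.cloud/idp"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": iam_string_like}


def condition_allows(condition: dict, claims: dict) -> bool:
    """True when every key in the trust policy's Condition block is satisfied.

    Keys are '<idp-url>:<claim>'; a list of patterns is satisfied by any one
    pattern (IAM ORs values for the same key, ANDs across keys and operators).
    """
    for operator, keys in condition.items():
        match = OPERATORS.get(operator)
        if match is None:
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in keys.items():
            prefix, _, claim = key.rpartition(":")
            value = claims.get(claim)
            if prefix != IDP or value is None:
                return False  # wrong provider, or the token lacks the claim
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(match(p, value) for p in patterns):
                return False
    return True


# Constructed Condition blocks mirroring the two trust policies described above.
EXACT_REPO = {"StringEquals": {f"{IDP}:aud": "sts.amazonaws.com",
                               f"{IDP}:sub": "https://github.com/gitpod-io/my-application"}}
WHOLE_ORG = {"StringEquals": {f"{IDP}:aud": "sts.amazonaws.com"},
             "StringLike": {f"{IDP}:sub": "https://github.com/gitpod-io/*"}}

# Constructed claims in the shape `gp idp token --decode` is described as showing.
MY_APP = {"aud": "sts.amazonaws.com", "sub": "https://github.com/gitpod-io/my-application"}
OTHER_ORG = {"aud": "sts.amazonaws.com", "sub": "https://github.com/someone-else/my-application"}

if __name__ == "__main__":
    for name, claims in (("my-app", MY_APP), ("other-org", OTHER_ORG)):
        print(name, condition_allows(EXACT_REPO, claims), condition_allows(WHOLE_ORG, claims))
```

A branch URL such as `https://github.com/gitpod-io/my-application/tree/main` fails the `StringEquals` policy but passes the `StringLike` one, which is the difference the two trust policies above are meant to illustrate.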
The JWT is exchanged for AWS credentials with `aws sts assume-role-with-web-identity`. You can run the assume-role command manually, or use the helper command in the `gp` CLI, `gp idp login aws`, which automatically updates your AWS CLI credentials file.
The token expiry can be customized with `--duration-seconds=<token-expiry-in-seconds>`; this option exactly matches the `--duration-seconds` option offered by the AWS CLI. The default is 3600 seconds. Note that to use a longer expiry, your AWS administrator must allow longer sessions.
You can add the following to your `.gitpod.yml` to log in to AWS using OIDC and then fetch a secret dynamically from AWS Secrets Manager for use in your application:

Example .gitpod.yml that assumes an AWS web identity role:
Run `gp idp token --decode --audience sts.amazonaws.com` to print your workspace JWT token. Ensure that any conditions on the `sub` claim match the trust policy in AWS.